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Abstract. This paper presents two algorithms on certain computations about 
Pisot numbers. Firstly, we develop an algorithm that finds a Pisot number a 
such that Q[a] = F given a real Galois extension F of Q by its integral basis. 
This algorithm is based on the lattice reduction, and it runs in time polynomial 
in the size of the integral basis. Next, we show that for a fixed Pisot number a, 
one can compute [a n ] (mod m) in time polynomial in (log(mn))°f 1 ^ , where 
m and n are positive integers. 



Introduction 

A Pisot number (or Pisot- Vijayaraghavan number) is a real algebraic integer 
greater than 1, whose Galois conjugates over Q are all of modulus strictly less than 
1. Generally, given a real number e > 0, an algebraic integer is called an e— Pisot 
number if all its Galois conjugates have modulus less than e [7 a . The most famous 
Pisot number is the golden radio ■ Pisot numbers have many interesting prop- 
erties in their own right. Not surprisingly, they have many applications in diverse 
areas, such as harmonic analysis, statistics and the Diophantine approximation. 
For an introduction to the Pisot numbers, we refer the reader to the books [13] and 

m- 

In this paper, we study two computational problems about Pisot numbers: one 
is to find a Pisot number generating a real Galois number field, and the other is to 
compute the modular exponentiation of a Pisot number. 

There are several known ways to find Pisot numbers in different situations. To 
name a few: Dufresnoy and Pisot [6] developed a method to find all Pisot numbers in 
the real interval [1, 1+ g + e], where < e < 0.0004. Boyd [IJ modified Dufresnoy 
and Pisot's algorithm to determine all the Pisot numbers in an interval of the 
real line [a, /3] if there are finitely many in the interval. Bell and Hare [5] gave 
a classification of some Pisot-Cyclotomic numbers. Utilizing the Lenstra-Lenstra- 
Lovasz (LLL) algorithm pQ, we show the following result. 

Theorem 0.0.1. Let ¥ be a real Galois extension over Q given by its integral 
basis (3\ , • • • , /?& . There exists a polynomial time algorithm to determine integers 
ai, d2, ■ ■ ■ , Obk such that 

a = atpi H h a k (3 k 

is a Pisot number and Q[a] = ¥. 

Remark 0.0.2. There are many ways to represent an algebraic number [5 . For 
example, one can represent an algebraic number by its minimal polynomial and a 
complex number, which is closer to the number than any of its conjugates. The 
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size of an algebraic number is defined to be the size of its minimal polynomial. 
The size of an integral polynomial 53i=o a i x< * € (ad 7^ 0) is defined to be 

dlog(maxi{|ai| + 1}). In many of our examples, we work in the real sub-field of 
a cyclotomic field Q(C) ; where £ is a primitive root of unity. This allows us to 
represent an algebraic number as an element in Q[£]. 

Remark 0.0.3. For many number fields, integral bases are known. However, com- 
puting an integral basis of a number field is, in general, not an easy problem, as it 
involves factorization of a large integer [5] . 

It is well-known that for a Pisot number a, a™ is exponentially close to an 
integer as n grows. In this paper, we investigate the problem of computing the 
integer [a n ] and its remainder modulo a positive integer m, where [*] denotes the 
function to the nearest integer. Modular exponentiation is the most important 
operation in implementation of a public key cryptography. By using the repeated 
squaring algorithm, a™ can be computed using only O(logn) many multiplications, 
and hence, a n (mod m) can be computed efficiently if a is an integer. However, if 
the base of the exponentiation a is not an integer, then the problem of computing 
[a n ] is considered to be hard. Note that [a n ] can be too large to be outputted, 
but in many cases, we are interested in the number of basic operations in integers 
to produce the number, regardless to the size of the operands. To this end, Tau 
functions were introduced to measure the complexity of an integer [2j . 

Definition 0.0.4. A straight-line program to compute an integer n £ N is a se- 
guence of ring operations (namely, addition, subtraction and multiplication) to pro- 
duce the integer n from the constant 1. Let r(n) be the length of the shortest 
straight-line program computing n. For a sequence of integers X\,X2, • ■ ■ , Xi, ■ ■ ■ , if 
there exists a polynomial p such that r(x„) <p(logn), then the sequence of integers 
is called easy to compute. Otherwise, we say that the sequence is hard to compute. 

Many well-known integer sequences are conjectured to be hard to compute, e.g. 
n\. Pascal Koiran [TU] conjectured that the sequences l^-s/^J and [(3/2)"J are also 
hard to compute. Here we show that, on the contrary, a similar sequence [a n ] is 
easy to compute if a is a Pisot number. Namely, we show the following: 

Theorem 0.0.5. For a fixed Pisot number a, we can find a straight-line program 
of length O(logn) for [a 11 ] in time (logn) ^ 1 '. Hence, 

r([a n }) = O(logn). 

As a corollary, we prove that the problem of computing the modular exponenti- 
ation of a Pisot number is easy. More precisely, 

Corollary 0.0.6. Given a Pisot number a, and two positive integers m and n, 
there exists an algorithm to compute [a n ] mod m in time (log(m,n))°^ . 

The paper proceeds as follows: Section 1 demonstrates the first algorithm to 
determine a Pisot number generating a given real algebraic field and proves the 
Theorem 0.0.1. Section 2 describes the algorithms to find a straight-line program 
for [a™] and to compute [a™] mod m of a given Pisot number a and proves the 
Theorem 0.0.5 and Corollary 0.0.6. 

Notations: Let the lowercase letters in bold and the capital letters in bold 
represent vectors and matrices, respectively. 
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1. AN ALGORITHM TO SEARCH A PlSOT NUMBER IN A TOTALLY REAL NUMBER 

FIELD 

1.1. Preliminaries. Let R™ be the n— dimensional Euclidean space. A (full rank) 
integral lattice is the set 

n 

C = {^2xibi\xi E Z}, 

i=i 

where bi,b2,-- , b„ are linearly independent vectors over R and b^ 6 Z™ for 
1 < i < n. The determinant of the lattice is defined to be the absolute value of the 
determinant of the matrix (bij), where bij is the j— th coordinate of b^. 

Minkowski's convex body theorem (page 12 in [TT]) asserts that given any convex 
set in M n , which is symmetric with respect to the origin and with volume greater 
than 2"det(jC), there exists a non-zero lattice point in the set. As a corollary, 
Minkowski's first theorem says that the length of the shortest vector in C satisfies 

Ai < V^det(C) 1/n . 

While no known efficient algorithm can find the shortest vector, or even a vector 
within the Minkowski's bound, there are polynomial time algorithms to approxi- 
mate the shortest vector in a lattice. The Lenstra-Lenstra-Lovasz (LLL) algorithm 
can find in polynomial time a vector whose length is at most (2/^/2>) n times the 
length of the shortest vector of a lattice (see page 33 in [H]). The Block-Korkine- 
Zolotarev (BKZ) algorithm can achieve a better approximation factor. In this 
paper, we use the LLL reduction algorithm, which is adequate for our purpose. 



1.2. The problem and the idea. Let F be a real algebraic field and let /3i, • • • 
be its integral basis. Each algebraic integer in F can be represented as 

a = zifii H h z k /3 k , 

where z\, z^, ■ ■ ■ ,Zk are rational integers, and its conjugates are 

(Ji(a) = zi<Ti(J3i) H h z k (Ji{Pk), (1 < i < k - 1), 

where each cri(l<i<fc — l)isa field automorphism of F. 

Let us consider the lattice C generated by the k column vectors of the following 
matrix: 

01 I3 2 ■■■ Pk 

triifii) <ti (/3 2 ) •■■ 01 (ft) 



D 



o-fe-i(/8fc). 



We note that the square of the determinant of the matrix D is the discriminant of 
the field F. Each column of D consists of one element of the integral basis and its 
conjugates, thus each vector in the lattice C corresponds to an algebraic integer of 
F given by its first element. 

It can be proved that there exist Pisot numbers in the field F by applying 
Minkowski's theorem on the lattice C [H] and [T31 Page 3]. Furthermore, we can 
derive an upper bound of the minimal Pisot number from the above proof. For the 
completeness, we include the modified proof below: 
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Lemma 1.2.1. |13j Let¥ be a real algebraic field with discriminant Ap. Given a 

real number < S < 1, there exists a Pisot number a bounded by B = ^ k A f such 
that Q[a] = F. 

Proof. Firstly, we show the existence of Pisot numbers in the field. For any positive 
real number B and S < 1, all the points (n, r^, • • • , r k ) € satisfying 

\n\<B and \n\ <S,(l<i<k-l) 

form a hyper-cuboid of volume 2 k B5 k ~ 1 . If BS k ~ 1 > y/\A$\, which can be satisfied 

by set B = ^il^f . Then by Minkowski's convex body theorem, there exists a 
nonzero lattice point of C in the convex body. In other words, there exists rational 
integers Zi, ■ ■ ■ ,Zk such that 

\zipi + --- + z k f3 k \ < B, 

\zi*i(fii) + ■■■ + z k a l {p k )\ <S<l(l<i<k-l). 
Hence, the algebraic integer 

a = zi0i H h z k /3 k 

is a Pisot number by definition. 

Next, we need to show that Q[a] = F. By definition, a is greater than any of 
its conjugates. If we denote e = [Q[a] : Q], / = [F : Q] and suppose e < /, then we 
have e\f and let f = ed for some d £ Z. Thus, a will appear d times in its Galois 
conjugates, which is a contradiction with the definition of the Pisot number. □ 

1.3. The algorithm and its correctness. The above lemma demonstrates the 
existence of the Pisot number in a real algebraic field. However, the proof is non- 
constructive; it does not provide an efficient method to find a Pisot number. The 
key idea of our algorithm below is to construct a new lattice similar to C and to con- 
vert the problem of determining a Pisot number in a given total real field into the 
problem of finding a vector in the lattice, whose length approximates the shortest 
vector. 

Let P be a positive real number, we construct another lattice Cp generated by 
the k column vectors of the following matrix: 



(1.3.1) 



Note that 



D 



p = 



Pi h 
Pax{fix) Paiifo) 



D = Di and det(D P ) = P^ 1 det(D). 



We observe: 

• From Minkowski's Theorem, we conclude that there is vector in Cp with 
length at most Vk */pfc-i det(D); 

• On the other hand, if a vector is not corresponding to a Pisot number, then 
its length is at least P. 
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So we can choose an appropriate P such that the gap between \f~k ^/pfe-i det(D) 
and P is large enough, then the LLL algorithm can find a short vector of length less 
than P, which must correspond to a Pisot number. Our algorithm can be described 
as follows: 



Algorithm 1 

Input: Integral basis /3i, • • • , f3 k of a real Galois extension F over Q. 

(1) Compute P to be an integer bigger than (-^=)' c2 fc fe / 2 det(D); 

(2) Construct the basis of the lattice Cp as the columns of the matrix D p 
defined by Equation p. 3. II) : 

(3) Run LLL algorithm on the basis of Cp; 

(4) Recover the Pisot number which is the absolute value of the first ele- 
ment of the returned approximate shortest vector. 

Output: A Pisot number. 



Now we proceed to prove Theorem 0.0.1. We need to show that the proposed 
algorithm is correct and it runs in polynomial time of the input size. 

Proof, (of Theorem 0.0.1) Firstly, we need to show that this algorithm returns a 
Pisot number. According to Minkowski's Theorem, there is a nonzero vector in Cp 
of length at most \fk \J P fe -i dct(D). On the other hand, for any algebraic integer 



XkPk in F that is not a Pisot number, the vector 
/ Pi \ 

+ x 2 



i h \ 




( h \ 










H h x k 




\Pa k -i(l3 2 )J 







in the lattice has length at least P, since there exists 1 < i < k — 1 such that 



\ Xl P(Ti{Pl) + ■■■+ X k P<Ti(j3 k )\ = P\xKTi(Pl) + ■■■ 

If we set P > (-^) fc2 fc fc /2 det(D), then 



X k (Ti(0 k )\ > P- 



then the vector returned by the LLL algorithm will have length less than P, which 
must correspond to a Pisot number. 

Next, we need to show that the returned Pisot number a is a primitive element 
of the field. By definition, a is greater than any of its conjugates. If we denote 
e = [Q[a] : Q], / = [F : Q] and suppose e < /, then we have e\f and let / = ed for 
some d € Z. Thus a will appear d times in its conjugates, which is a contradiction 
with the definition of the Pisot number. 

At last, we analyze the running time of the algorithm. First we observe that 
logP = (k det(D))°( 1 ' . The most costly part of the algorithm is Step 3, where the 
LLL algorithm runs in polynomial time of the size of the lattice basis. Thus the 
overall time of the algorithm is polynomial in the size of the integral basis. 

□ 

Remark 1.3.1. Given a real number e > 0, if we choose P such that 

P> (-^=) fc V/ 2 det(D)/e fc , 



6 



QI CHENG AND JINCHENG ZHUANG 



then we have 

sP> (-^=) fe V /2 dct(D). 
Hence, the algorithm actually determines an s—Pisot number in this case. 

1.4. Examples. In the following examples, we use the lattice functions in Victor 
Shoup's NTL package. 

Example 1.4.1. Let us illustrate our algorithm by taking the field Q(2cos||-) as 
an example. The extension degree k — [Q(2cos : Q] = £LM>1 = 4 an d an integral 
basis is given by 

271" n n 47T n n 8lT n „ 147T 

Pi = 2cos— ,/3 2 = 2cos— ,/3 3 = 2cos— ,/3 4 = 2 cos— . 

(1) Choose e = 0.5 7 compute P = 85769 > (^j) 16 * 4 2 * % /Il25 * 16; 

(2) Construct the basis of Cp as the column vectors of Tip; 

(3) Run LLL algorithm over the basis of Cp; 

(4) Recover the Pisot number which is the following: 

a = 2105/?i + 1215/3 2 + 1440/3 3 + 139/3 4 . 

Remark 1.4.2. We note that in the second step we first compute Po~i(f3j) then 
take the integer part as the input of the matrix. And we can check that the Galois 
conjugates of the returned number are: -0.063765..., 0.065726..., and -0.048703.... 



Example 1.4.3. Now let's look at another example, the field Q^cos 2 ^)- The 

ext 
by 



IT 

extension degree k = [Q(2cos|y) : Q] = = 8 and one integral basis is given 



n n 27T 47T 67T 8ir 

Pi = 2 cos— ,(3 2 = 2 cos— ,p3 = 2 cos— ,(3 4 = 2 cos— , 

IOtt n „ 12tt „ „ 14tt „ „ 16tt 
p5 = 2 cos— , As = 2 cos— ,pV = 2 cos— ,/3 8 = 2 cos— . 

(1) Compute P = 825982306366 > (^=) 64 * 8 4 * V410338673; 

(2) Construct the basis of Cp as the column vectors of Dp; 

(3) Run LLL algorithm over the basis of Cp; 

(4) Recover the Pisot number which is the following: 

a = - 24708871/3i - 95498414/3 2 - 202808109^3 - 332145187/3 4 
- 466041959/3 5 - 586414924^ 6 - 677007046/3 7 - 725583357/%. 

Remark 1.4.4. We can compute the Galois conjugates of the returned number 
are: 0.039500..., 0.048267..., 0.064900..., -0.019990..., -0.057987..., 0.062209... 
and 0.036031.... 

2. An algorithm to compute modular exponential of a Pisot number 

2.1. The problem and the idea. Given a Pisot number a of degree d and its 
minimal polynomial over Q 

f(x) = x d + c d _ x x d - x + ■ ■ ■ + Cl x + c , 

we want to determine a straight-line program for [a n ] and then to compute [a n ] 
mod to, where n, m are given positive numbers. 
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Lemma 2.1.1. Given a Pisot number a% of degree d with conjugates c<2, 



, ad, lad > 



\oii\,3 <i<d. Ifn > log| Q3 | j(J=i)' then 



ari = a. 



Proof. Suppose n > logi a 



|a 2 | 2(d-l) 



we have 



K + -- + a5l<(d-l)|a a r< 

Note that for any given positive integer n, a™ + a?, 1 + ■ ■ 
Thus we deduce if n > log| Q2 | 2 (d-i) » then 



1 



aJJ is an integer itself. 



□ 



Lemma 2.1.1 shows that we can convert the problem of finding [a n ] of a Pisot 
number a to the computation of a n + a 1 ^ + ■ ■ ■ + a^ when n > log| Q2 | 2(<i-i) ■ wnere 
0^2, • • • ,ad are conjugates of a. For the sake of consistency, we will sometimes 
write o;i in the place of a below. 



2.2. Notations and preliminaries. Let the polynomial f(x) = x d + Cd-\x d ~ x + 

■ ■ ■ + c\x + co be the minimal polynomial for a Pisot numuber a over Q. The 
companion matrix [8 of the polynomial f(x) is defined by 



C(/) 





1 
1 





-c 

o -a 

-ca 

1 -cy_] 



Since fix) is irreducible over Q[x], it has distinct roots a±,a2, 
companion matrix is diagonalizable as follows: 



, ad ■ Thus the 



vc(/)v- 1 = 



ai 



ad 



where all the non-diagonal elements are zero and V represents the Vandcrmondc 
matrix corresponding to the etc 



V 



a\ of 
a 2 a\ 



a d a d 



a 



4~ v 

d-l 



.4-1 



2.3. The algorithm and its correctness. Given a Pisot number a of degree d 
with conjugates a%, ■ ■ ■ ,ad and its minimal polynomial over Q 

f(x) =x d + Cd^ix 11 - 1 H h Cix + c , 

firstly, we determine T([a™]), where n are given positive numbers. 
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Algorithm 2 

Input: A Pisot number a with conjugates 02, ■ ■ ■ , &d an d its minimal poly- 
nomial over Q: f(x) = x d + Cd-\x d ~ x + • • • + C\x + c and a positive integer 
n. 

(1) If n < log| Q2 | 2(Z=T) > com Pu te [«"] directly; 

(2) If n > log| Q2 | 2^iy, 

(a) Construct C(/); 

(b) Find a straight-line program for every entry of C™(/) utilizing the 
repeated squaring algorithm; 

(c) Compute the trace of C™(/). 
Output: A straight-line program of computing [a™]. 



Now we proceed to prove Theorem 0.0.5, namely, we need to show that the 
proposed algorithm is correct, and the number of basic operations involved is poly- 
nomial in the input size. 

Proof. ( of Theorem 0.0.5 ) Firstly, we show that the algorithm is correct. When 
n > log| Q2 | 2 (d-i) ' by Lemma 3.1, we have 

r ni n 1 , n 

[a \ = a 1 + ■ ■ ■ + a d . 

Since the conjugates of a are distinct, the companion matrix of f(x) can be 
diagonalized as 



vc(/)v- 1 



where all the non-diagonal elements are zero and V represents the Vandermonde 
matrix corresponding to the on . We have 



l\n 



(VC(.f)V- 1 ) 



Because 
we have 



(VC(.f)V- 1 )" = vc n (/)v- 1 , 

trCVC^V- 1 ) = tr((VC(/)V- 1 )") 
= < + ■■■+ 

= [«"], 

where tr is the trace function of the matrix. Furthermore, we have 

tr(C"(/))=tr(VC"(/)V- 1 ), 

hence 

tr(C"(/)) = [a"]. 

Next, we analyze the number of basis operations needed. Since the computation 
of the the matrix C™(/) takes O(logn) matrix multiplications and other steps take 
constant number of operations, we have 

r([a n }) = 0(logn). 

□ 
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We can modify the last algorithm to compute the modular exponentiation of a 
Pisot number as follows: 

Algorithm 3 

Input: A Pisot number a of degree d given by its minimal polynomial over Q: 
f(x) = x d + Cd-ix^ 1 + • • • + c\x + co, two positive integers to, n. 

(1) Construct a straight-line program of length O(logn) for [a™]; 

(2) Evaluate the straight-line program in the ring IjrnL. 

(3) Output the last step of the straight-line program. 
Output: [a n ] mod to. 

Sketch of the proof of Corollary 0.0.6: we need to show that the proposed al- 
gorithm is correct and it runs in polynomial time of the input size. The proof 
is similar with the proof of Theorem 0.0.5 except that here we compute C™(/) 
mod to instead of C n (/) which makes it run in time (log(TOn)) ' 1 ^ . 

3. Concluding remarks 

In this paper, we present two deterministic polynomial time algorithms about 
certain computations of Pisot numbers. The first one is to search a Pisot number 
a such that Q[a] = F given a real Galois extension F of Q with integral basis. We 
remark that we can find Pisot numbers with high degree utilizing the algorithm. 
The second one is to compute the modular exponentiation of a Pisot number. 
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